Installation
This page documents the installation of the AIStor Key Encryption Service.
You may require root or sudo permissions to perform some of the steps.
- Install the AIStor KES binary on each node in your KES cluster.
- Start the KES server
The following command starts a single-node KES server that stores its data in /etc/kes/data and listens on port 7373:

    kes server --address :7373 --data /etc/kes/data --license SUBNET-LICENSE

Replace SUBNET-LICENSE with your SUBNET license. See the KES documentation for additional configuration options.
For long-term production deployments, run KES as a systemd service. Modify the service file to include the --license SUBNET-LICENSE parameter in the ExecStart line.
- Connect to the KES server
Once the server is running, set the following environment variables so that the kes command-line client can reach the remote KES server:

    export KES_SERVER=https://kes-1.example.net:7373
    export KES_API_KEY=IDENTITY

IDENTITY corresponds to a configured identity with access to the KES server and the API operations you need. You can retrieve the root identity from the KES server startup logs. If you configured additional identities as part of the KES configuration, specify one of those values instead; for routine client use, prefer an identity whose policy grants only the operations it needs over the root identity. See the KES documentation on policies and identities for more information on identity and access management.
By default the kes client validates the remote KES server certificate when establishing a connection. It uses both the system trust store of Certificate Authorities and the contents of the $HOME/.kes/certs/CAs directory during validation. Ensure that either the trust store or the CAs directory contains the root and intermediate certificates needed to validate the remote KES server's certificate. If validation fails, add the missing CA certificate rather than skipping verification with the client's --insecure (-k) flag: an unverified connection lets anyone who can impersonate the server read everything the client exchanges with it, including key material.
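The following deployment helper is an added example for the two steps above; it is not part of the AIStor KES documentation or the KES project. It renders a systemd unit whose ExecStart line carries the --license parameter, and it runs a client-side preflight that checks KES_SERVER, KES_API_KEY and the CA directory before you call the kes client. The kes flags are the ones shown on this page; the binary path /usr/local/bin/kes, the kes service user, the /etc/default/kes environment file, the SUBNET_LICENSE variable name, the KES_CA_DIR override and the hardening directives are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not AIStor KES project code. Assumed: install path,
# service user, environment file name and hardening directives.
set -e

KES_BIN="${KES_BIN:-/usr/local/bin/kes}"   # assumed install path
KES_DATA="${KES_DATA:-/etc/kes/data}"      # data directory from the page
KES_PORT="${KES_PORT:-7373}"               # listen port from the page

# Render a systemd unit for step 2. The license is read from an
# EnvironmentFile (assumed: /etc/default/kes, variable SUBNET_LICENSE) so
# it does not sit in the world-readable unit file; systemd expands
# ${SUBNET_LICENSE} into the ExecStart command line at start-up.
render_kes_unit() {
  cat <<EOF
[Unit]
Description=AIStor Key Encryption Service
After=network-online.target
Wants=network-online.target

[Service]
User=kes
Group=kes
EnvironmentFile=/etc/default/kes
ExecStart=${KES_BIN} server --address :${KES_PORT} --data ${KES_DATA} --license \${SUBNET_LICENSE}
Restart=on-failure
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=${KES_DATA}
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Step 3 preflight: KES only speaks TLS, so KES_SERVER must be
# https://host:port. Returns 1 (with a message on stderr) otherwise.
check_kes_server_url() {
  case "$1" in
    https://*:[0-9]*) return 0 ;;
    *) echo "KES_SERVER must look like https://host:port, got: '$1'" >&2; return 1 ;;
  esac
}

# The client consults $HOME/.kes/certs/CAs (besides the system trust
# store); make sure the directory exists and holds at least one PEM
# certificate, otherwise validation of a private CA will fail.
check_ca_dir() {
  dir="${1:-$HOME/.kes/certs/CAs}"
  [ -d "$dir" ] || { echo "CA directory $dir does not exist" >&2; return 1; }
  n=$(grep -l "BEGIN CERTIFICATE" "$dir"/* 2>/dev/null | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] || { echo "no PEM certificates found in $dir" >&2; return 1; }
  return 0
}

# Run all client checks; KES_CA_DIR is an assumed override for testing.
kes_client_preflight() {
  check_kes_server_url "${KES_SERVER:-}" || return 1
  [ -n "${KES_API_KEY:-}" ] || { echo "KES_API_KEY is not set" >&2; return 1; }
  check_ca_dir "${KES_CA_DIR:-$HOME/.kes/certs/CAs}" || return 1
  return 0
}

# Usage:
#   sh kes-deploy.sh unit      > /etc/systemd/system/kes.service
#   sh kes-deploy.sh preflight && kes status
case "${1:-}" in
  unit) render_kes_unit ;;
  preflight) kes_client_preflight ;;
esac
```

Keep /etc/default/kes readable only by root and the kes user. Note that any value passed as a command-line flag, the license included, is still visible to local users in the process argument list; the EnvironmentFile only keeps it out of the unit file itself.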